Subject: Re: [PATCH] sshd-regen-keys: fix race condition
To: Jan Kiszka, isar-users@googlegroups.com, Baurzhan Ismagulov
From: Gylstorff Quirin
Date: Wed, 29 Apr 2020 10:11:35 +0200
Message-ID: <99e1c48b-8717-bc56-f2fc-7d3299a15c66@siemens.com>
In-Reply-To: <82ef1e5c-42c6-8a53-b3d3-cbb3fa6a977b@siemens.com>
References: <20200312164837.20377-1-Quirin.Gylstorff@siemens.com> <20200413162202.zvkalsae6gxksmn2@yssyq.m.ilbers.de> <82ef1e5c-42c6-8a53-b3d3-cbb3fa6a977b@siemens.com>

The problem as shown on my system was that sshd-regen-keys calls
dpkg-reconfigure, which calls systemd restart ssh. The restart of ssh is
blocked by the oneshot. If you use a oneshot without dpkg-reconfigure it
is no problem.
So it is

oneshot.service starts -> systemd restart some.service -> error
simple.service starts -> systemd restart some.service -> ok

This occurs on Debian 10.

Quirin

On 4/28/20 8:22 AM, Jan Kiszka wrote:
> On 13.04.20 18:22, Baurzhan Ismagulov wrote:
>> Hello Quirin,
>>
>> On Thu, Mar 12, 2020 at 05:48:37PM +0100, Q. Gylstorff wrote:
>>> Systemd waits with starting service until a oneshot is finished this leads
>>> to a race condition if you try to restart a service in a oneshot.
>>>
>>> "Behavior of oneshot is similar to simple; however, the service manager will consider
>>> the unit started after the main process exits. It will then start follow-up units.
>>> RemainAfterExit= is particularly useful for this type of service. Type=oneshot is the
>>> implied default if neither Type= nor ExecStart= are specified."[1]
>>>
>>> [1]: man systemd.service
>>
>> Could you please help me understand the race you are facing? I've gone through
>> a couple of scenarios and couldn't identify one.
>>
>>
>> Apart from that, systemctl(1) says for enable:
>>
>> "Note that this does not have the effect of also starting any of the units
>> being enabled. If this is desired, combine this command with the --now switch,
>> or invoke start with appropriate arguments later."
>>
>> Similarly, for disable:
>>
>> "Note that this command does not implicitly stop the units that are being
>> disabled. If this is desired, either combine this command with the --now
>> switch, or invoke the stop command with appropriate arguments later."
>>
>> Considering the following scenario:
>>
>> 1. systemd starts ssh. It reads e.g. one key file but not others.
>>
>> 2. systemd starts sshd-regen-keys.sh. It disables ssh but doesn't stop it, then
>>    removes the keys.
>>
>> 3. sshd continues reading the other keys.
>>
>> Is it possible that sshd finds inconsistent set of keys or doesn't find the
>> other keys? Shouldn't we specify --now for both enable and disable?
>>
>>
>> With kind regards,
>> Baurzhan.
>>
>
> Quirin, I think this is still open, and - being about to create another
> one-shot service - I was wondering whether we need to fix more services.
>
> Baurzhan, please fix your client settings so that you always preserve CC
> lists when replying.
>
> Thanks,
> Jan
>

--
Quirin Gylstorff
Siemens AG
Corporate Technology
Research in Digitalization and Automation
Smart Embedded Systems
CT RDA IOT SES-DE
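
Jan's question in the thread above, whether more one-shot services need the same fix, can be checked mechanically. The following is an added example, not part of the thread or of Isar's code: a Python check that flags `Type=oneshot` units whose start command runs `dpkg-reconfigure` or a waiting `systemctl start/restart/reload`. Unit names, paths and file contents are constructed, and treating `systemctl --no-block` (queue the job without waiting) as not blocking is an assumption of this check.

```python
# Added example; all unit names, paths and file contents are constructed samples.
WAITING_VERBS = {"start", "restart", "reload"}

def blocking_calls(text):
    """Names of commands in text that queue a systemd job and wait for it."""
    hits = []
    for line in text.splitlines():
        words = [w.rsplit("/", 1)[-1] for w in line.split("#", 1)[0].split()]
        if "dpkg-reconfigure" in words:  # per the thread, this restarts ssh
            hits.append("dpkg-reconfigure")
        elif ("systemctl" in words and "--no-block" not in words
              and WAITING_VERBS & set(words)):
            hits.append("systemctl")
    return hits

def parse_service(text):
    """Return (Type, ExecStart commands) from a unit's [Service] section."""
    section, stype, execs = None, None, []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Service" and "=" in line and line[0] not in "#;":
            key, value = (s.strip() for s in line.split("=", 1))
            if key == "Type":
                stype = value
            elif key == "ExecStart" and value:
                execs.append(value.lstrip("-@+!:"))  # drop systemd exec prefixes
    return stype, execs

def risky_oneshots(units, scripts):
    """Map unit name -> blocking commands reachable from its ExecStart."""
    findings = {}
    for name, text in units.items():
        stype, execs = parse_service(text)
        hits = []
        for cmd in (execs if stype == "oneshot" else []):
            # Scan the command line itself and, if known, the script it runs.
            hits += blocking_calls(cmd) + blocking_calls(scripts.get(cmd.split()[0], ""))
        if hits:
            findings[name] = hits
    return findings

SCRIPTS = {"/opt/example/regen.sh": "#!/bin/sh\nrm -f /etc/ssh/ssh_host_*key*\ndpkg-reconfigure openssh-server\n"}
UNITS = {
    "regen-oneshot.service": "[Service]\nType=oneshot\nExecStart=/opt/example/regen.sh\n",
    "regen-simple.service": "[Service]\nType=simple\nExecStart=/opt/example/regen.sh\n",
    "poke-oneshot.service": "[Service]\nType=oneshot\nExecStart=/bin/systemctl --no-block restart ssh\n",
}
print(risky_oneshots(UNITS, SCRIPTS))
```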